Predefined admin reports

This section provides a short description of predefined reports for the admin user.

Note: If data level security at the observed data level is enabled (see Data level security filtering), then the audit process output is filtered so users see only the information about their databases.
Enterprise reports with custom tables: If, for any reason, the central manager did not receive data from a managed unit for the custom table in an enterprise report in the last 24 hours, the Guardium® UI banner displays the following message:
Central manager experienced failure getting data from collector. Central manager experienced error in the last 24 hours uploading data from collector. It's logged in both the log named cmDataUpload.log and the following report
Click the report name to open the Scheduled Jobs Exceptions report and view details of the managed units that had exceptions.

The predefined admin reports are listed in alphabetical order.

Active Risk Spotter - Risky Users Scores

This report details the current risky users, including the server IP, the overall risk score, and scores for all of the risk indicators.

Active S-TAPs changed

This alert only runs on Central Manager systems. S-TAP Host, S-TAP version, S-TAP changed, timestamp and count are shown.

Domain Based on Query Main Entity
Internal - not available Active S-TAPs changed Not available
Run-Time Parameter Operator Default Value
Period From none none

Admin User Logins

Summary of logins to the database using a database user name defined in the Admin Users group. The report displays the client IP address from which the user with administrative privileges logged into the database, database user name, source program, session start date and time, and session total for that record.

Domain Based on Query Main Entity
Access Admin Users Login Session
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Aggregation/Archive Log

This report lists Guardium aggregation activity by Activity Type. Each row of the report contains the Activity Type, Start Time, File Name, Status, Comment, Guardium Host Name, Records Purged, Period Start, Period End, and count of log records for the row. You can limit the output by setting the Guardium Host Name run-time parameter, which is set to % by default (to select all servers). The Records Purged column contains a count of records purged only when the activity type is Purge.

Domain Based on Query Main Entity
Aggregation/Export/Import Aggregation/Archive Log Agg/Archive Log
Run-Time Parameter Operator Default Value
Period From >= NOW -1 WEEK
Period To <= NOW
Guardium Host Name LIKE %

12.1 and later Aggregator Global Collector ID

This report maps the collector ID and collector name to the aggregator.

Domain Based on Query Main Entity
Aggregator Global Collector ID Aggregator Global Collector ID Aggregator Global Collector ID
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Show Aliases Radio buttons Default
Remote Data Source Drop-down menu  
Refresh Rate Drop-down menu 0

All Guardium Applications - Roles

This menu pane displays two reports: All Roles - Application Access and All Roles - User.

All Roles - Application Access

For each role, this report lists the number of applications to which it is assigned. To list the applications to which a role is assigned, click on the role and drill down to the Record Details report.

Domain Based on Query Main Entity
Internal - not available All Roles - Application Access Not available
Run-Time Parameter Operator Default Value
Period From >= NOW -100 MONTH
Period To <= NOW

All Roles - User

For each role, this report lists the number of users to which it is assigned. To list the users to which a role is assigned, click on the role and drill down to the Record Details report.

Domain Based on Query Main Entity
Internal - not available Role - User Not available
Run-Time Parameter Operator Default Value
Period From >= NOW -100 MONTH
Period To <= NOW

Analytic Outlier Details

Domain Based on Query Main Entity
Analytic Outliers Details Analytic Outliers Details Analytic Outliers Details
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
DB User name LIKE %
DB Name LIKE %
Source program LIKE %
Object LIKE %
Verb LIKE %
Client hostname LIKE %
OS user LIKE %

Analytic Outlier Details List - enhanced

Domain Based on Query Main Entity
Analytic Outliers Details Analytic Outliers Details Analytic Outliers Details
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
DB User name LIKE %
DB Name LIKE %
Source program LIKE %
Object LIKE %
Verb LIKE %
Client hostname LIKE %
OS user LIKE %

Analytic Outlier Summary

Domain Based on Query Main Entity
Analytic Outliers Details Analytic Outliers Details Analytic Outliers Details
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Server IP LIKE %
DB User name LIKE %
DB Name LIKE %
OS User LIKE %

Analytic Outlier Summary by Date - enhanced

Domain Based on Query Main Entity
Analytic Outliers Details Analytic Outliers Details Analytic Outliers Details
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Server IP LIKE %
DB User name LIKE %
DB Name LIKE %
OS User LIKE %

Analytic Threat Case Details

This report presents details of an identified threat case. You need to enter the case ID and the datasource to view the report.

Domain Based on Query Main Entity
Eagle Eye Not available Symptom type
Run-Time Parameter Operator Default Value
Enter Value for Case Id   text field
Show Aliases   Radio buttons (On, Off, Default)
Remote Data Source   Drop-down menu
Refresh rate in seconds   0

Appliance Settings

This report displays configuration settings from a Guardium system. Use the appliance settings report to quickly review and validate Guardium settings.

Domain Based on Query Main Entity
Internal - not available Active S-TAPs changed Not available
Run-Time Parameter Operator Default Value
Show Aliases   Radio buttons (On, Off, Default)
Remote Data Source   Drop-down menu

Application Objects Summary

This report is a summary of every definition in the Guardium application. For instance, type Oracle in the ObjectNameLike space in the Run-Time Parameters page of Application Objects and find all the Object Types and Object Descriptions where Oracle is used.

Note: This report presents metadata and as such is not filtered through the Data Level Security mechanism. This metadata could include database related information such as Oracle SIDs.
Domain Based on Query Main Entity
Application Objects Application Objects Summary Application Objects
Run-Time Parameter Operator Default Value
ObjectNameLike % %
ObjectTypeNameLike % %

Approved TAP clients

Only specific S-TAPs are permitted to connect to the Guardium application. This report shows which S-TAP is approved and the status of it.

Domain Based on Query Main Entity
Internal - not available Approved TAP Clients Not available
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Assessment Datasources

This report is a summary of datasources that are linked to a security assessment.

Domain Based on Query Main Entity
Internal - not available Assessment and the datasources (or datasource groups) used by the assessment SECURITY_ASSESSMENT
Run-Time Parameter Operator Default Value
Assessment LIKE %
Refresh rate in seconds   0

Assessment Roles Allowed

This report is a summary of the roles that are mapped to a security assessment.

Domain Based on Query Main Entity
Internal - not available Assessment and the roles defined in the assessment SECURITY_ASSESSMENT
Run-Time Parameter Operator Default Value
Assessment LIKE %
Refresh rate in seconds   0

Assessment Tests

This report lists the tests that are included in a security assessment.

Domain Based on Query Main Entity
Internal - not available Assessment and the associated tests that are included in the assessment SECURITY_ASSESSMENT
Run-Time Parameter Operator Default Value
Period From >= 2009-01-01 00:00:00
Period To <= NOW
Assessment LIKE %
Test Description LIKE %
Assessment ID LIKE %
Test ID LIKE %
Show Aliases   Radio buttons (On, Off, Default)
Remote Data Source   Drop-down menu
Refresh Rate (Seconds)   0

Available VA Tests

The following reports are available as part of Available VA Tests:
  • Available VA Tests
  • Available VA Tests - Detailed
  • 12.1 and later Available VA Tests - CIS
  • 12.1 and later Available VA Tests - STIG

The Available VA Tests report and the Available VA Tests - Detailed report list all the security assessment tests in the Guardium system where the reports are generated. The Available VA Tests - Detailed report is a more comprehensive version of the Available VA Tests report. The Available VA Tests - CIS and Available VA Tests - STIG reports let you filter the Available VA Tests report by CIS and STIG, respectively.

Available VA Tests report

Use the following selections to configure the Available VA Tests report:
Domain Based on Query Main Entity
VA Tests Available VA tests Assessment Tests
Run-Time Parameter Operator Default Value
Test Type LIKE %
Category LIKE %
Datasource Type LIKE %
Severity LIKE %
Show Aliases   Radio buttons (On, Off, Default)
Remote Data Source   Drop-down menu
Refresh Rate (Seconds)   0

Available VA Tests - Detailed report

Use the following selections to configure the Available VA Tests - Detailed report:
Domain Based on Query Main Entity
Internal - not available Internal - not available Internal - not available
Run-Time Parameter Operator Default Value
Period From >= 2009-01-01 00:00:00
Period To <= NOW
Test ID LIKE %
Test Description LIKE %
Audit Config Template ID LIKE %
Datasource Type LIKE %
Severity LIKE %
Category Name LIKE %
Short Description LIKE %
External Reference LIKE %
Can Have Exceptions Group LIKE %
Show Aliases   Radio buttons (On, Off, Default)
Remote Data Source   Drop-down menu
Refresh Rate (Seconds)   0

12.1 and later Available VA Tests - CIS

Domain Based on Query Main Entity
Internal - not available Internal - not available Internal - not available
Run-Time Parameter Operator Default Value
Enter Value for Test ID LIKE %
Enter Value for Data source Type LIKE %
Enter Value for Severity LIKE %
Enter Value for the Test Type LIKE %
Enter Value for Category LIKE %
Show Aliases   Radio buttons (On, Off, Default)
Remote Data Source   Drop-down menu
Refresh Rate   0

12.1 and later Available VA Tests - STIG

Domain Based on Query Main Entity
Internal - not available Internal - not available Internal - not available
Run-Time Parameter Operator Default Value
Enter Value for Test ID LIKE %
Enter Value for Data source Type LIKE %
Enter Value for Severity LIKE %
Enter Value for the Test Type LIKE %
Enter Value for Category LIKE %
Show Aliases   Radio buttons (On, Off, Default)
Remote Data Source   Drop-down menu
Refresh Rate   0

Audit Process Log

This report shows a detailed activity log for all tasks, including start and end times. This report is available for admin users. Audit tasks show start and end times; however, the start and end times of Security Assessments and Classifications (which go to a queue) are the same.

The audit process has been expanded to allow sign-off of specific rows, beyond a user signing off on the entire audit process. The report displays a list of what has been signed off and the status of specific rows.

Use this Audit Process Log to stop audit processes. Tasks can be stopped only if they have not been run or are running. Any remaining tasks that have not started will not execute, and partial results will not be delivered. If tasks are complete, stopping the audit process will not stop the sending of the results. Stopping the audit process is done through a GrdAPI command, invoke api, from the Audit Process Log report. For any user, the report shows only the lines belonging to that user (without all the details, just the tasks). Admin users see all the details and can stop anyone's runs. Users can stop only their own runs.

Stopping the audit process does not cancel queries that are running against a remote source, nor does it cancel online reports that use a remote source.

Stopping is not supported for Privacy Sets and External Feed. This means that if a Privacy Set task or an External Feed has started, it will finish even if the process is stopped (as opposed to a query, which will be killed).

Audit Process Log ID

Login Name

Run ID

Timestamp

Audit Process ID

Audit Process Description

Audit Task ID

Audit Task Description

Event Type

Detail

Count of Audit Process Log

Available Patches

Displays a list of available patches. There are no run-time parameters. The reporting domain is system-only.

Audit Job Task Security Assessment

Displays the definition of the audit process job and the task name that runs a security assessment.

Domain Based on Query Main Entity
Internal - not available Internal - not available Internal - not available
Run-Time Parameter Operator Default Value
Process ID LIKE %
Task ID LIKE %
Process Description LIKE %
Task Description LIKE %
Assessment ID LIKE %
Assessment Description LIKE %
Refresh Rate (Seconds)   0

12.1 and later Audit Process Task Details

Provides audit process information, including the audit process items, the audit tasks, and the record count for the audit tasks that belong to the audit process items. This report is useful for validating the data that is sent to SIEM and for ensuring that the same number of records is sent in a file.

Domain Based on Query Main Entity
Internal - not available All Roles - Application Access Not available
Run-Time Parameter Operator Default Value
Period From >= NOW - 3 HOURS
Period To <= NOW
Remote Data Source Drop-down menu --
Show Aliases Radio buttons Default
Refresh Rate (Seconds) Drop-down menu 0

Buffer Usage Monitor

Provides an extensive set of buffer usage statistics. For more information, see BigData Intelligence Buff Usage Monitor domain.

Domain Based on Query Main Entity
Buffer Usage Buff Usage Monitor Sniffer Buffer Usage Monitor
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Cassandra DB Object privileges granted to grantee

Lists all the Cassandra DB Object privileges that are granted to users and roles.

Domain Based on Query Main Entity
Cassandra DB Object privileges granted to grantee Cassandra DB Object privileges granted to grantee Cassandra DB Object privileges granted to grantee
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Enter Value for Role LIKE %
Enter Value for Resource LIKE %
Enter Value for Permission LIKE %
Show Aliases Radio buttons Default
Remote Data Source Drop-down menu  
Refresh Rate (Seconds) Drop-down menu 0

Cassandra Object privileges granted with grant option

Lists all the Cassandra users and roles with Object privileges that can be granted to another user.

Domain Based on Query Main Entity
Cassandra Object privileges granted with grant option Cassandra Object privileges granted with grant option Cassandra Object privileges granted with grant option
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Enter Value for Role LIKE %
Enter Value for Resource LIKE %
Enter Value for Grantable LIKE %
Show Aliases Radio buttons Default
Remote Data Source Drop-down menu  
Refresh Rate (Seconds) Drop-down menu 0

Cassandra Role granted to User Role

Lists all the Cassandra roles that are granted to a user.

Domain Based on Query Main Entity
Cassandra Role granted to User Role Cassandra Role granted to User Role Cassandra Role granted to User Role
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Enter Value for Role LIKE %
Enter Value for Member LIKE %
Show Aliases Radio buttons Default
Remote Data Source Drop-down menu  
Refresh Rate (Seconds) Drop-down menu 0

Cassandra SuperUser Role

Lists all the Cassandra users with a SuperUser role.

Domain Based on Query Main Entity
Cassandra SuperUser Role Cassandra SuperUser Role Cassandra SuperUser Role
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Enter Value for Role LIKE %
Show Aliases Radio buttons Default
Remote Data Source Drop-down menu  
Refresh Rate (Seconds) Drop-down menu 0

CAS Deployment

This CAS report details the Database type, OS name, Hostname and OS type.

Domain Based on Query Main Entity
CAS CAS Deployment Not available
Run-Time Parameter Operator Default Value
DB Type Like %
OS_Name Like %
Hostname Like %
OS_Type Like %

Changes (CAS)

CAS Change Details

For each monitored item, the changes are listed in order by owner.

Domain Based on Query Main Entity
CAS Changes CAS Change Details Host Configuration
Run-Time Parameter Operator Default Value
DB_Type Like %
Host_Name Like %
Instance_Name Like %
Monitored_Item Like %
OS_Type Like %
Type Like %

CAS Saved Data

This report lists the data saved for each change detected. This report is sorted by host name, and then by the most recent modification time.

Domain Based on Query Main Entity
CAS Changes CAS Saved Data Saved Data
Run-Time Parameter Operator Default Value
Host_Name Like %
Monitored_Item Like %
Saved_Data_Id Like %

Configuration (CAS)

CAS Instances

This report lists CAS instance definitions (a CAS instance applies a template set to a specific CAS host). The default sort order for this report is non-standard. The sort keys are, from major to minor: Host Name (ascending), Instance (ascending) and Last Status Change (descending).

Domain Based on Query Main Entity
CAS Config CAS Instances Monitored Item Details
Run-Time Parameter Operator Default Value
Host_Name Like %
OS_Type Like %
DB_Type Like %
Instance Like %

CAS Instance Config

This report lists CAS instance configuration changes. The default sort order for this report is non-standard. The sort keys are, from major to minor: Host Name (ascending), Instance (ascending) and Last Status Change (descending). You can limit the output by using any of the following runtime parameters, which select all values by default.

Domain Based on Query Main Entity
CAS Config CAS Instance Config Monitored Item Details
Run-Time Parameter Operator Default Value
Host_Name Like %
OS_Type Like %
Template_Id Like %

Connection Profiling List

The Connection Profiling List is a group of all allowed connections (the Connection Profiling List shows all connection details).

Domain Based on Query Main Entity
Internal - not available Connection Profiling List Client Server
Run-time parameter Operator Default Value
Query From Date >= NOW -1 DAY
Query To Date <= NOW

Connections Quarantined

Guardium policies can be used to terminate or quarantine connections in real time. Use threshold alerts, based on queries. See Quarantine under the Policies topic for configuration instructions.

Domain Based on Query Main Entity
Connection Quarantine Connections Quarantined Connection Quarantine
Run-Time Parameter Operator Default Value
Server IP LIKE %
DB User LIKE %
Server Name LIKE %
Period From >= NOW -1 DAY
Period To <= NOW

CPU Tracker

Lists the Software TAP Host and number of CPUs on machines running S-TAPs.

Domain Based on Query Main Entity
Internal - not available   Not available
Run-Time Parameter Operator Default Value
None    

CPU Usage

By default, displays the CPU usage for the last two hours. This graphical report is intended to display recent activity only. If you alter the From and To run-time parameters to include a larger timeframe, you may receive a message indicating that there is too much data. Use a tabular report to display a larger time period.

Domain Based on Query Main Entity
Sniffer Buffer CPU Usage Sniffer Buffer Usage Monitor
Run-Time Parameter Operator Default Value
Period From >= NOW -2 HOUR
Period To <= NOW

Databases by Type/ Number of DB per type

Server type and client sources for each database type monitored.

Domain Based on Query Main Entity
Access Number of db per type Client/Server
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Databases Discovered

For the reporting period, for each Discovered Port entity where the DB Type attribute value is NOT LIKE Unknown, this report lists the Probe Timestamp, Server IP, Server Host Name, DB Type, Port, Port Type, and count of Discovered Ports for the row.

Domain Based on Query Main Entity
Auto-discovery Databases Discovered Discovered Port
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW
PortNotLike NOT LIKE No default value.

Datamart Extraction Log

The extraction log has data about both table and file extractions. It presents: Data Mart Name, Collector IP, Server IP, from-time, to-time, ID, run started, run ended, number of records, status, error code.

Data Sources

Lists all datasources defined: Data-Source Type, Data-Source Name, Data-Source Description, Host, Port, Service Name, User Name, Database Name, Last Connect, Shared, and Connection Properties.

You can restrict the output of this report using the Data Source Name run time parameter, which by default is set to “%” to select all datasources.

Domain Based on Query Main Entity
Internal - not available Data-Sources Not available
Run-Time Parameter Operator Default Value
Data Source Name LIKE %
Period From >= NOW -1 DAY
Period To <= NOW

Days not exported or archived

This report lists the days whose data was not exported or archived, for a system that has a daily archive or export, and if Allow purge without exporting or archiving is not selected. For more details, see Viewing days whose data was not archived or exported.

Domain Based on Query Main Entity
Catalog Days not exported or archived Entry
Run-Time Parameter Operator Default Value
Period From >= NOW -2 WEEK
Period To <= NOW
Show Aliases Radio buttons (On, Off, Default) Default
Remote Data Source   Drop-down menu
Refresh rate in seconds   0

DB Users Mapping List

The mapping between database users (Invokers of SQL that caused a violation) and email addresses for real time alerts.

Domain Based on Query Main Entity
Auto-discovery DB Users Mapping List Guardium Users Login
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Default DB Users Enabled

This report details the default users found enabled after a database scan through the group of default users and list of servers supplied to the Non-credential Scan API. When an enabled user is found within a database, that occurrence of database/user is reported only once. Subsequent scans update the timestamp and database version of the database. If a subsequent scan does not find a previously found user, the timestamp remains unaffected, so as to keep a history with the last time the user was found enabled on a database. Scans are run under the Classifier Listener, and submitted jobs (with the non_credential_scan API) can be tracked using the Guardium Job Queue report.

Domain Based on Query Main Entity
Default DB Users Enabled Default DB Users Enabled Default DB Users Enabled
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Definitions Export/Import Log

This report lists Guardium export/import activity by Activity Type. Each row of the report contains the Activity Type, Start Time, File Name, Status, Comment, and count of log records for the row.

Domain Based on Query Main Entity
Aggregation/Archive Export-Import Definitions Log Agg/Archive Log
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Discovered Instances

This S-TAP report details the following information:

Timestamp, Host, Protocol, Port Min, Port Max, KTAP DB Port, Instance Names, Client, Exclude Client, Proc Names, Named Pipe, DB Install Dir, Proc Name, DB2® Shared Mem Adjustment, DB2 Shared Mem Client Position, DB2 Shared Mem Size, Unix Socket, DB User, DB Version.

Columns are populated as relevant, according to the database type.

Domain Based on Query Main Entity
Discovered Instances Discovered Instances Discovered Instances
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Discovered Instances Rules Add or Replace Log

This report details the following information: Timestamp, Host, Result, Report Only.

Domain Based on Query Main Entity
Discovered Instances Discovered Instances Rules Add or Replace Log Discovered Instances Rules Results
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Enter Value for Report Only (Yes/No) Like %
Show Aliases Radio buttons (On, Off, Default) Default
Remote Data Source   Drop-down menu
Refresh rate in seconds   0

Discovered Instances Rules Results

This report details the following information:

Timestamp, Host, Result Message, Result Type, Report Only, Identifier, Discovered, Protocol, Port Min, Port Max, Instance Name, Named Pipe, DB Install Dir, Proc Name, DB2 Shared Mem Adjustment, DB2 Shared Mem Client Position, DB2 Shared Mem Size, Unix Socket, DB User, DB Version.

Domain Based on Query Main Entity
Discovered Instances Discovered Instances Rules Results Discovered Instances Rules Results
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Enter Value for Report Only (Yes/No) Like %
Show Aliases Radio buttons (On, Off, Default) Default
Remote Data Source   Drop-down menu
Refresh rate in seconds   0

Dropped Requests

Tracks requests dropped by an inspection engine (Exception Description = Dropped database request). Under extremely rare, high-volume situations some requests may be lost. When this happens, the sessions from which the requests were lost are listed in the Dropped Requests report.

Domain Based on Query Main Entity
Exceptions Dropped Requests Exception
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Enterprise S-TAP Association History

Enterprise S-TAP® Association History reports on how long the S-TAP reported to the specific Guardium system in the Load balancer environment.

To see this report, you must schedule the CustomTableStapAssocicationJob. (It is not automatically scheduled by default.) For example, to schedule this job to run hourly, run the command:
grdapi schedule_job cronString="0 0 0/1 ? * 1,2,3,4,5,6,7" jobType="customTableStapAssocication"

If you set the job to run hourly, you'll see S-TAP association changes with a one-hour delay. If you need to see the changes sooner, you can schedule this job to run at more frequent intervals. However, in central manager environments with a large number of S-TAPs, there can be a tradeoff between frequency of reports and load on the system. If the S-TAPs move frequently, running this job every five minutes might burden the central manager. Set the frequency according to your needs and your environment. To set the job to run every five minutes, run the command:
grdapi schedule_job cronString="0 0/5 0/1 ? * 1,2,3,4,5,6,7" jobType="customTableStapAssocication"

Enterprise Buffer Usage Monitor

This report shows the aggregate of sniffer buffer usage from all managed units. You must set the schedule for the upload. See the description of the Sniffer Buffer Usage entity for a description of the fields listed on this report.

Domain Based on Query Main Entity
Enterprise Buffer Usage Enterprise Buffer Usage Sniffer Buffer Usage
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Enterprise S-TAP (Detailed) View

See S-TAP Info (Central Manager) for information on this report.

Enterprise S-TAP View

See S-TAP Info (Central Manager) for information on this report.

Exception Count

For the reporting period, the total number of exceptions logged.

Domain Based on Query Main Entity
Exceptions Exception Count Exception
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Export Sensitive Data to Discovery

Guardium and InfoSphere® Discovery have mechanisms for the Classification of Sensitive Data.

A bidirectional interface is provided to transfer the identified sensitive data from Guardium to InfoSphere Discovery and from InfoSphere Discovery to Guardium.

This data will be transferred via CSV files. See External data correlation for further information.

Domain Based on Query Main Entity
Internal - not available Export Sensitive Data to Discovery Classification Process Results
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOURS
Period To <= NOW
Rule Description LIKE  
Schema LIKE  

External Tickets

Displays details of tickets that are created in Guardium and sent to external sources such as ServiceNow or Resilient.

Domain Based on Query Main Entity
Internal - not available External Ticket External Ticket
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Enter Value for Guardium Source LIKE %
Enter Value for Ticket Number LIKE %
Refresh rate in seconds   0

FAM Config Change

Displays details about the changes in the File Activity Monitor (FAM) configuration.

Domain Based on Query Main Entity
Exceptions FAM Config Change Exception
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Show Aliases Radio buttons (On, Off, Default) Default
Remote Data Source   Drop-down menu
Refresh rate in seconds   0

FAM Progress

Displays details about the progress of File Discovery, Entitlement and Classification (FDEC) scans for NAS and Sharepoint.
Note: FDEC does not provide live updates for removed objects. The numbers in the Removed Objects column always reflect the total number of removed objects.
Domain Based on Query Main Entity
Internal - not available Not available Not available
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Enter Value for NAS or SP Host Name Like %
Enter Value for Source Directory Path Like %
Refresh rate in seconds   0

Full SQL

This report summarizes SQL commands performed by the user, or that run on the database (depending on the source).

Domain Based on Query Main Entity
Access Full SQL Full SQL
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Enter Value for Service Name Like %
Enter Value for OS User Like %
Enter Value for DB User Name Like %
Enter Value for Server IP Like %
Show Aliases Radio buttons (On, Off, Default) Default
Remote Data Source   Drop-down menu
Refresh rate in seconds   0

Full SQL - Data Tampering

This is a filtered view of the full SQL report, showing only the results for data tampering.

Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Enter Value for Service Name Like %
Enter Value for DB User Name Like %
Enter Value for OS User Like %
Enter Value for Service Name Like %
Show Aliases Radio buttons (On, Off, Default) Default
Remote Data Source   Drop-down menu
Refresh rate in seconds   0

Full SQL - Massive Grants

This is a filtered view of the full SQL report, showing only the results for massive grants.

Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Enter Value for Server IP Like %
Enter Value for DB User Name Like %
Enter Value for OS User Like %
Enter Value for Service Name Like %
Show Aliases Radio buttons (On, Off, Default) Default
Remote Data Source   Drop-down menu
Refresh rate in seconds   0

Full SQL - Possible data leak

This is a filtered view of the full SQL report, showing only the results for possible data leaks.

Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Enter Value for Server IP Like %
Enter Value for DB User Name Like %
Enter Value for OS User Like %
Enter Value for Service Name Like %
Show Aliases Radio buttons (On, Off, Default) Default
Remote Data Source   Drop-down menu
Refresh rate in seconds   0

Full SQL - Schema tampering

This is a filtered view of the full SQL report, showing only the results for schema tampering.

Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Enter Value for Server IP Like %
Enter Value for DB User Name Like %
Enter Value for OS User Like %
Enter Value for Service Name Like %
Show Aliases Radio buttons (On, Off, Default) Default
Remote Data Source   Drop-down menu
Refresh rate in seconds   0

Full SQL By Client IP

Domain Based on Query Main Entity
Access Full SQL By Client IP Full SQL
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Show Aliases Radio buttons (On, Off, Default) Default
Remote Data Source   Drop-down menu
Refresh rate in seconds   0

Full SQL by DB User

Domain Based on Query Main Entity
Access Full SQL by DB user Full SQL
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Enter Value for DB User Name Like %
Show Aliases Radio buttons (On, Off, Default) Default
Remote Data Source   Drop-down menu
Refresh rate in seconds   0

Guardium Job Queue

Displays the Guardium Job Queue. Previously known as Classifier/Assessment Job Queue. For each job, it lists the Process Run ID, Process Type, Status, Guardium Job Process Id, Report Result Id, Guardium Job Description, Audit Task Description, Queue Time, Start Time, End Time, and Data Sources.

Domain Based on Query Main Entity
Internal - not available Guardium Job Queue Not available
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW
Enter Value for Job Description Like %
Enter Value for Process Type Like %
Show Aliases Radio buttons (On, Off, Both, Default) Default
Remote Data Source   Drop-down menu
Refresh Rate (seconds)   0

The job queue

Assessments and Classifications run in their own separate process called the job queue. Jobs are queued and have their status maintained while a listener periodically polls the queue looking for waiting jobs to run.

Stopping

When you right-click a running job for drill-down, there is an option to stop the running job and cancel it. The job cannot be restarted at this point.

Halting

Running jobs are monitored to reduce the number of hung jobs that might cause the job queue to become overloaded. If a job is inactive for 30 minutes, the listener is terminated and restarted, effectively stopping the operation of a job. Before the listener is restarted, a process called the cleaner runs, the status is set from RUNNING to HALTED, and then the listener is restarted. A status of HALTED means the job was not able to run to completion.

Resubmitting

Sometimes the listener gets restarted for reasons other than a job hanging, for example rebooting the machine. When the cleaner halts the running jobs, it checks whether each job has responded in the past 8 minutes. If it has, the job is copied and that copy is resubmitted onto the job queue. The original halted job still displays on the queue, and the results it was able to process remain available.

Monitoring

The mechanism by which jobs maintain their active status is by touching the timestamp on the job queue record. It is important to note that the job queue record is used for the entire job. Each individual classifier rule or assessment test interacts with the timestamp for its parent process, and they do not have individual timestamps that are monitored.

The classifier will update its timestamp before every rule is tested and after every SQL operation. For example, if the classifier is scanning the data in a database that supports paging, it will touch the timestamp after each batch of data is brought back from the database. This is because, depending on the state of the target database, the classifier has the potential to invoke some long-running queries that will be limited to 30 minutes of execution.

Assessments touch the timestamp after each test in the assessment is evaluated. Most assessment tests run in a few seconds or less.

Observed Tests

The exception to the relatively quick-running assessment tests is the category of observed assessment tests. These tests are based on queries and reports that use the internal sniffing data on the Guardium appliance and can run for longer periods of time and are unable to update the timestamp while they are in process. Therefore, observed assessment tests have their timestamps set two hours into the future when they are started, essentially giving them two hours and thirty minutes to run to conclusion. This can be confusing when looking at the job queue and seeing the timestamp set to a time in the future. Just like any other assessment test, when the observed test ends, the timestamp will be touched. If the next test is an observed test, the timestamp will once again be set two hours into the future. Otherwise, the timestamp will be set to the current time.
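
The halting, resubmitting and observed-test rules described above can be modelled to read a job queue listing correctly. This is an added example, not Guardium code: the Job record, the WAITING status name, the sample rows, and the treatment of a future timestamp as a recent response are all assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional

# Intervals stated on the page.
INACTIVITY_LIMIT = timedelta(minutes=30)  # inactive this long: listener is restarted
RESUBMIT_WINDOW = timedelta(minutes=8)    # touched this recently: a copy is resubmitted
OBSERVED_LEAD = timedelta(hours=2)        # observed tests stamp this far into the future


@dataclass(frozen=True)
class Job:
    run_id: int
    status: str                    # RUNNING and HALTED are the page's; WAITING is assumed
    timestamp: datetime            # the single heartbeat kept on the job queue record
    copy_of: Optional[int] = None  # hypothetical field linking a resubmitted copy


def touch(job, now, observed=False):
    """Heartbeat: the current time, or two hours ahead when an observed test starts."""
    return replace(job, timestamp=now + OBSERVED_LEAD if observed else now)


def halt_deadline(job):
    """Moment at which an untouched job counts as inactive for 30 minutes."""
    return job.timestamp + INACTIVITY_LIMIT


def hung_jobs(jobs, now):
    """Run IDs of RUNNING jobs whose heartbeat is at least 30 minutes old."""
    return [j.run_id for j in jobs
            if j.status == "RUNNING" and now >= halt_deadline(j)]


def run_cleaner(jobs, now):
    """Cleaner pass before a listener restart: every RUNNING job becomes HALTED,
    and jobs touched within the past 8 minutes get a copy put back on the queue."""
    next_id = max(j.run_id for j in jobs) + 1
    result, copies = [], []
    for job in jobs:
        if job.status != "RUNNING":
            result.append(job)
            continue
        result.append(replace(job, status="HALTED"))
        # Assumption: a future timestamp (observed test) counts as a recent response.
        if now - job.timestamp <= RESUBMIT_WINDOW:
            copies.append(Job(next_id, "WAITING", now, copy_of=job.run_id))
            next_id += 1
    return result + copies


# Constructed sample queue, evaluated at 12:00.
NOW = datetime(2024, 1, 1, 12, 0)
SAMPLE_QUEUE = [
    Job(101, "RUNNING", NOW - timedelta(minutes=35)),   # silent past the limit
    Job(102, "RUNNING", NOW - timedelta(minutes=5)),    # recently active
    Job(103, "RUNNING", NOW - timedelta(minutes=15)),   # quiet, but not yet hung
    touch(Job(104, "RUNNING", NOW), NOW - timedelta(minutes=30), observed=True),
    Job(105, "WAITING", NOW - timedelta(minutes=1)),
]

if __name__ == "__main__":
    print("hung:", hung_jobs(SAMPLE_QUEUE, NOW))
    for job in run_cleaner(SAMPLE_QUEUE, NOW):
        print(job.run_id, job.status, job.timestamp, job.copy_of)
```

Job 104 shows why a future timestamp on the queue is expected rather than a clock fault: its halt deadline falls two hours and thirty minutes after the observed test started.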

Guardium usage summary

Displays a list of S-TAP hosts, number of processors per the Guardium License Metric Tool (ILMT), and the estimated number of processor value units (PVUs).

To calculate the accurate number of PVUs, see https://www-112.ibm.com/software/howtobuy/passportadvantage/pvucalculator/pvucalc.wss

Domain Based on Query Main Entity
Internal-not available Guardium usage summary Not available
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Remote Data Source   Drop-down menu
Show Aliases Radio buttons (On, Off, Both, Default) Default
Refresh Rate (seconds)   0

GIM Clients Status

Displays a list of GIM clients, including the client name, OS, vendor, installation date, module name, module version, module state, module schedule, and the system the GIM module reports to.

Domain Based on Query Main Entity
GIM Clients Status GIM Clients Status GIM Clients
Run-Time Parameter Operator Default Value
Client Name % Not available
Client OS % Not available

GIM Events List

Displays a list of GIM Events.

Domain Based on Query Main Entity
GIM Events GIM Events GIM Events
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

GIM Installed Modules

Displays a list of installed GIM Modules.
Note: This report shows the modules that have been associated with the host. If a module has been assigned to a host, the assigned version does appear in this report, even if the module has not yet been scheduled or installed. To check the currently installed module, review the GIM Client Status report.
Domain Based on Query Main Entity
GIM Installed Base GIM Installed Base GIM Installed
Run-Time Parameter Operator Default Value
none not applicable not applicable

Group Usage Report

Displays the list of all defined groups and all the entities that rely on each group.

Guardium API Exceptions

Displays a time stamp and description of all GuardAPI exceptions. These are jobs where the Exception Type ID is GUARD_API_EXCEPTION.

Domain Based on Query Main Entity
Exception Guardium API Exceptions Exception
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Guardium entitlement consolidation report (using ILMT)

This report provides details on active and inactive S-TAPs installed on the data server. If the ILMT agent is installed, the report shows the processor value of the data server. If the ILMT agent is not installed, the processor value is blank. This report helps indicate the processor value of a server with an installed and active S-TAP. The ILMT agent provides the processor value once it is installed; this report does not replace ILMT requirements in any sense (follow ILMT compliance and audit requirements).

Domain Based on Query Main Entity
Internal-not available Guardium entitlement consolidation report Not available
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Remote Data Source   Drop-down menu
Show Aliases Radio buttons (On, Off, Both, Default) Default
Refresh Rate (seconds)   0

Guardium Group Details

For the reporting period, each row of the report lists a group member. The columns contain the following information: Group Description, Group Type, Group Subtype, Timestamp (from the Group Member entity), Group Member, and count of Group Member entities for the row. The value of the timestamp is set to the current time whenever the record is updated.

You can restrict the output of this report using the run-time parameters, both of which are used with the LIKE operator and a default value of %, which selects all values.

Domain Based on Query Main Entity
Group Guardium Group Details Group Member
Run-Time Parameter Operator Default Value
Group Description LIKE %
Group Type LIKE %
Period From >= NOW -100 MONTH
Period To <= NOW

Guardium Users

Lists each user, date of last activity, and number of roles assigned. For each user, you can drill down to the Record Details report to see the roles assigned to that user.

Domain Based on Query Main Entity
Internal - not available User Role Not available
Run-Time Parameter Operator Default Value
Period From >= NOW -100 MONTH
Period To <= NOW

Host History (CAS)

This report lists CAS host events. The default sort order for this report is non-standard. The sort keys are, from major to minor: Host Name (ascending), Instance and Event Time (descending).

Domain Based on Query Main Entity
CAS Host History CAS Host History Host Event
Run-Time Parameter Operator Default Value
Host_Name Like %
OS_Type Like %
Event_Type Like %

Inactive Inspection Engines

Lists all inactive inspection engines.

Domain Based on Query Main Entity
Internal - not available Inactive Inspection Engines S-TAP Verification Header
Run-Time Parameter Operator Default Value
Query from date >= NOW -3 HOUR
Query to date >= NOW

Inactive S-TAPs Since

Lists all inactive S-TAPs defined on the system. It has a single run-time parameter: Period From, which is set to now -1 hour by default. Use this parameter to control how you want to define inactive. This report contains the same columns of data as the S-TAP Status report, with the addition of a count for each row of the report.

Domain Based on Query Main Entity
Internal - not available Inactive S-TAPs Since Not available
Run-Time Parameter Operator Default Value
Period From >= NOW -1 HOUR

Installed Patches

Displays the patches: Patch Number, Guardium Version, Patch Description, Patch Dependencies, Creation Date, Request Received, Installed By, Status, Status Description, Timestamp, Requested Schedule.

Domain Based on Query Main Entity
Installed Patches Installed Patches Installed Patch
Run-Time Parameter Operator Default Value
Refresh rate in seconds   0

Investigation dashboard issues

This report displays all Investigation dashboard issues that Monitoring and automatic recovery discovered, including those that are open, in progress, and fixed.

You can limit the output by setting the Guardium Host Name run-time parameter, which is set to % by default (to select all servers). This reduces the number of issues you see in the report.

Domain Based on Query Main Entity
Investigation dashboard issues Investigation dashboard issues Investigation dashboard issues
Run-Time Parameters Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Host Name LIKE %

Investigation dashboard issues in recovery

This report displays the Investigation dashboard issues that Monitoring and automatic recovery is currently trying to fix.

Condition – Investigation Dashboard issue Status = ‘Recovery in progress’

You can limit the output by setting the Guardium Host Name run-time parameter, which is set to % by default (to select all servers). This reduces the number of issues you see in the report.
Domain Based on Query Main Entity
Investigation dashboard issues Investigation dashboard issues in recovery Investigation dashboard issues
Run-Time Parameters Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Host Name LIKE %

Investigation dashboard open issues

This report displays the Investigation dashboard issues that Monitoring and automatic recovery was not able to fix and that require manual intervention to resolve.

Condition – Investigation Dashboard issue status = ‘Error’

You can limit the output by setting the Guardium Host Name run-time parameter, which is set to % by default (to select all servers). This reduces the number of issues you see in the report.
Domain Based on Query Main Entity
Investigation dashboard issues Investigation dashboard open issues Investigation dashboard issues
Run-Time Parameters Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Host Name LIKE %

Logged R/T Alerts

For the reporting period, the total number of logged real time alerts, listed by rule description.

Domain Based on Query Main Entity
Policy Violations Logged R/T Alerts Policy Rule Violation
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Logged Threshold Alerts

For the reporting period, the total number of threshold alerts logged.

Domain Based on Query Main Entity
Alert Logged Alerts Threshold Alert Details
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Logging Collectors (valid only from aggregation unit)

The Logging Collectors report appears under the Daily Monitor Tab and it is valid only on an aggregator unit. This report shows the number of sessions per Server IP, per collector and per day. For example: on May 19, aggregator #1 collected 100 sessions for Server 192.168.x.x1, 50 sessions for Server 192.168.x.x2; aggregator #2 collected 30 sessions for Server 192.168.x.x3, 90 sessions for Server 192.168.x.x4; etc.

Domain Based on Query Main Entity
Exceptions Logging Collectors Logging Collectors
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Logins to Guardium

All values for this report are from the Guardium Logins entity. For the reporting period, each row of the report lists the User Name, Login Succeeded (1 = Successful, 0 = Failed, -1 = password expired, -2 = login from different IP), Login Date And Time, Logout Date And Time (which is blank if the user has not yet logged out), Host Name, Remote Address (of the user) and count of logins for the row.

Domain Based on Query Main Entity
Guardium Logins Guardium Logins Guardium Users Login
Run-Time Parameter Operator Default Value
Host Name LIKE %
Period From >= NOW -1 DAY
Period To <= NOW

Managed Units (Central Manager)

Enterprise report on a Central Manager that shows which managed units are up. Use this report in a Statistical Alert to send an email to an ADMIN anytime a managed unit is down.

Domain Based on Query Main Entity
Internal - not available Managed Units Managed Units
Run-Time Parameter Operator Default Value
Host Name LIKE %
Remote Data Source   Drop-down menu
Show Aliases   Radio buttons (On, Off, Default)

NAS File Activities

Displays details about the file activity in Network-Attached Storage (NAS) devices.

Domain Based on Query Main Entity
Access NAS File Activities Object/Command
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Show Aliases Radio buttons (On, Off, Default) Default
Remote Data Source   Drop-down menu
Refresh Rate (seconds)   0

Number of Active Audit Processes

Number of active Guardium audit processes. When central management is used, this report contains data only on the Central Manager, and is empty on all managed units (the standard message, No data found for requested query, displays). There are no run-time parameters for this report.

Domain Based on Query Main Entity
Audit Process Number of Active Processes Audit Process

Oracle Unified Audit Activity

This report presents the server, client, and database details for the logged Oracle traffic.

Domain Based on Query Main Entity
Access Oracle Unified Audit Activity STAP SQL Configuration
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Refresh Rate (seconds)   0

Oracle Unified Audit (S-TAP configuration) Activity

This report shows details of the S-TAP and host configurations for Oracle Unified Auditing, the data pull interval and number of rows, and the timeout.

Domain Based on Query Main Entity
S-TAP Status Oracle Unified Audit (S-TAP Configuration) Activity Client/Server by Session
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Refresh Rate (seconds)   0

Outstanding Audit Process Reviews

Number of outstanding Guardium audit processes, listed by Guardium users.

Table 1. Outstanding Audit Process Reviews
Domain Based on Query Main Entity
Audit Process Outstanding Audit Process Reviews Task Results To-Do List

Primary Guardium Host Change Log

Log of primary host changes for S-TAPs. The primary host is the Guardium unit to which the S-TAP sends data. Each line of the report lists the S-TAP Host, Guardium Host Name, Period Start and Period End.

Domain Based on Query Main Entity
Internal - not available Primary SGuard host change log Not available
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Query Entities and Attributes

This report lists all the entities and attributes in Guardium reports and was created to simplify the linkage between the Guardium attributes to the GuardAPI calls.

Use this report to also invoke create_constant_attribute, create_api_parameter_mapping, delete_api_parameter_mapping, or list_param_mapping_for_function.

Domain Based on Query Main Entity
Any of Guardium reporting domains Any of the entities for the reporting domain Any of the attributes within the entity
Run-Time Parameter Operator Default Value
Report Name Like

If the value is not '%', the report shows only the domain/entity and attributes used by reports that match the parameter.

If the value is '%', all domains, queries and attributes are displayed (including those not used by any report).

not applicable not applicable

Replay Statistics

This report shows Replay Statistics for Execution Start/End Date; Configuration Name; Schedule Setup Name; Job Status; Statistic Description; Session ID; Successful Queries; Failed Queries; Total Queries; Type; Active/Waiting/Completed Tasks.

Domain Based on Query Main Entity
Replay Results Tracking Replay Statistics Replay Result Statistics
Run-Time Parameter Operator Default Value
Query from date >= NOW -1 DAY
Query to date <= NOW
Session >= Not available
Session <= Not available

Replay Summary

For the reporting period, a measure of which queries failed or succeeded. A checkmark is required in Replay Configuration for Query Failed or Query Succeeded.

Domain Based on Query Main Entity
Replay Results Replay Summary Replay Results
Run-Time Parameter Operator Default Value
Query from date >= NOW -1 DAY
Query to date <= NOW
Results status % Not available
Schedule setup name % Not available

Request Rate

By default, displays the request rate for the last two hours. This graphical report is intended to display recent activity only. If you alter the run-time parameters to include a larger timeframe, you may receive a message indicating that there is too much data. Use a tabular report to display a larger time period.

Domain Based on Query Main Entity
Sniffer Buffer Request Rate Sniffer Buffer Usage Monitor
Run-Time Parameter Operator Default Value
Period From >= NOW -2 HOUR
Period To <= NOW

Restored Data

This report has two columns: RESTORED_DAY and EXPIRATION_DATE. When the user restores data from archive, this table is populated according to the data restored and the duration specified for keeping this data. The purge process looks at this table to determine what data can be purged and cleans up records that expired. RESTORED_DAY is the date of the data that was restored and is in the past. EXPIRATION_DATE is the date when this data will be purged and is a date in the future.

Domain Based on Query Main Entity
Restored Data Restored Data Restored Data
Run-Time Parameter Operator Default Value
Period From >= NOW -10 DAY
Period To <= NOW +10 DAY

Risky Users - Connection Profiling List

This report is the Connection Profiling List, filtered for risky users.

Domain Based on Query Main Entity
Access Connection Profiling List Client Server
Run-Time Parameter Operator Default Value
Query from date >= NOW -1 DAY
Query to date <= NOW
Client IP/Src App/DB User/Server IP/Svc Name not like group Connection Profiling List
Client IP/Src App/DB User/Server IP/Svc Name like group Risk Spotter - Risky Users

Risky Users - Policy Violation

This report is the Policy Violation, filtered for risky users.

Domain Based on Query Main Entity
Policy Violations Risky Users - Policy Violation Policy Rule Violation
Run-Time Parameter Operator Default Value
Client IP/Src App/DB User/Server IP/Svc Name like group Risk Spotter - Risky Users
Policy Rule Violation:Severity >= 1

Risky Users - SQL Errors

This report is the SQL Errors report, filtered for risky users.

Domain Based on Query Main Entity
Exception Risky Users - SQL Errors Exception
Run-Time Parameter Operator Default Value
Exception Type:Exception Type Description like Database%Server%
Client IP/Src App/DB User/Server IP/Svc Name like group Risk Spotter - Risky Users

Runtime Sensitive Object Identifier

Displays output from the Runtime Sensitive Object Identifier session level policy. For more information, see Runtime sensitive-object identification.
Domain Based on Query Main Entity
Runtime Sensitive Object Identifier Runtime Sensitive Object Identifier Runtime Sensitive Object Identifier

Scheduled Job Exceptions

Displays a timestamp and the description for each scheduled job exception (including assessment errors). These are jobs where the Exception Type ID is one of the following: SCHED_JOB_EXCEPTION, ASSESSMENT_EXCEPTION, or ASMT_ERROR.

Domain Based on Query Main Entity
Sniffer Buffer CPU Usage Sniffer Buffer Usage
Run-Time Parameter Operator Default Value
Period From >= NOW -2 HOUR
Period To <= NOW

Scheduled Jobs

Displays the list of currently scheduled jobs.

Domain Based on Query Main Entity
Internal - not available Scheduled Jobs Not available

Session Count

For the reporting period, the total number of different sessions open.

Domain Based on Query Main Entity
Access Session Count Session
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

SharePoint File Activities

Displays details about the file activity in a SharePoint environment.

Domain Based on Query Main Entity
Access SharePoint File Activities Object/Command
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Show Aliases Radio buttons (On, Off, Default) Default
Remote Data Source   Drop-down menu
Refresh Rate (seconds)   0

SQL Count

For the reporting period, the total number of different SQL commands issued.

Domain Based on Query Main Entity
Access SQL Count SQL
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

S-TAP Agent Upgrade Pre-Check

Before starting a GIM upgrade, you can check whether any of the database servers that host Linux-UNIX S-TAP agents need to be rebooted during the S-TAP upgrade. This check is for GIM upgrades only; it does not cover any other upgrade scenarios.

If the bundles were installed from the managed unit, run the report on the managed unit. If all clients are managed by the central manager (all GIM clients point to the central manager, which is best practice and the recommended setup), run the report from the central manager. The reboot status of GIM clients that point to a managed unit is not captured in a report that is run on the central manager. Verify that the GIM agent is installed on the database server before you run the report (relevant for upgrades from a non-GIM installation). None of the other modules or bundles need to be installed. All database servers that are listed in the report need a reboot.

There are no run-time parameters. This reporting domain is system-only.

Columns: S-TAP Host, Installed by GIM, GIM Parameter Name, Live Update.

Run-Time Parameter Operator Default Value
Refresh rate in seconds   0

S-TAP agent with WINSTAP_CMD_LINE parameter

Displays details of what values exist in the WINSTAP_CMD_LINE field for all Windows S-TAPs.

Windows only: This report is available only for Windows systems.

There are no run-time parameters.

Columns: S-TAP Host, WINSTAP_CMD_LINE Parameter Value.

Domain Based on Query Main Entity
Internal - not available Internal - not available GIM Clients

S-TAP Configuration Change History

This report is displayed only when an inspection engine is added or changed. It lists the S-TAP configuration changes; each inspection engine change appears on a separate row. Each row lists the S-TAP Host, DB Server Type, DB Port From, DB Port To, DB Client IP, DB Client Mask, and Timestamp for the change.

Domain Based on Query Main Entity
Internal - not available Configuration Change History Not available
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

S-TAP Events

Use this report for information on the S-TAP (from SOFTWARE_TAP_EVENT table in internal database).

Domain Based on Query Main Entity
Internal - not available S-TAP Events Not available
Run-Time Parameter Operator Default Value
event type LIKE %
host type LIKE %
Period From >= NOW -3 DAY
Period To <= NOW

S-TAP Info (Central Manager)

On a Central Manager, an additional report, S-TAP Info, is available. This report monitors S-TAPs of the entire environment. Upload this data using the Custom Table Builder.

S-TAP info is a predefined custom domain which contains the S-TAP Info entity and is not modifiable like the entitlement domain.

When defining a custom query, go to the upload page and click Check/Repair to create the custom table in the CUSTOM database; otherwise, saving the query will not validate it. This table loads automatically from all remote sources. A user cannot select which remote sources are used; it pulls from all of them.

Based on this custom table and custom domain, there are two reports:

Enterprise S-TAP View shows, from the Central Manager, information on an active S-TAP on a collector and/or managed unit. If there are duplicates for the same S-TAP engine, one active and one inactive, the report uses only the active one.

Detailed Enterprise S-TAP View shows, from the Central Manager, information on all active and inactive S-TAPs on all collectors and/or managed units.

If the Enterprise S-TAP View and Detailed Enterprise S-TAP View look the same, it is because there is only one S-TAP on one managed unit being displayed. The Detailed Enterprise S-TAP View would look different if there are more S-TAPs and more managed units involved.

There is an Alert: Inspection Engines and S-TAP that alerts once a day on any activity related to inspection engine and S-TAP configuration. See Predefined Alerts.

S-TAP Last Response

Pre-defined query and report are available, but not added to any panels.

The query/report displays All S-TAP Hosts and the last response (heartbeat) sent by each host.

The purpose of this query is to be able to define an alert that triggers when an S-TAP on a host did not respond for a given period of time.

The input parameters are Last response From and Last Response To.

For example, when executed with Last response From = NOW -5 DAYS and Last Response To = NOW - 3 HOURS, it displays the host name and the last response time for those hosts that sent the last response in the last 5 days, but had no response in the last 3 hours.
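
The window described above, worked through on heartbeat data as an added example (not Guardium's query). The resolve and silent_hosts names and the heartbeat rows are constructed, and only HOUR and DAY offsets are handled because the page does not state how MONTH offsets are computed.

```python
import re
from datetime import datetime, timedelta

# Relative expressions as written on the page: "NOW", "NOW -5 DAYS", "NOW - 3 HOURS".
_REL = re.compile(r"^NOW(?:\s*([+-])\s*(\d+)\s*(HOUR|DAY)S?)?$", re.IGNORECASE)
_UNIT = {"HOUR": timedelta(hours=1), "DAY": timedelta(days=1)}


def resolve(expr, now):
    """Turn a relative run-time parameter value into an absolute datetime."""
    match = _REL.match(expr.strip())
    if not match:
        raise ValueError(f"unsupported relative time: {expr!r}")
    sign, count, unit = match.groups()
    if sign is None:          # plain "NOW"
        return now
    delta = int(count) * _UNIT[unit.upper()]
    return now + delta if sign == "+" else now - delta


def silent_hosts(heartbeats, last_from, last_to, now):
    """Hosts whose most recent heartbeat lies between last_from and last_to.

    With last_from = "NOW -5 DAYS" and last_to = "NOW - 3 HOURS" this selects
    hosts that were alive within five days but silent for the last three hours.
    """
    lower, upper = resolve(last_from, now), resolve(last_to, now)
    if lower > upper:
        raise ValueError("Last response From must not be later than Last Response To")
    latest = {}
    for host, seen in heartbeats:
        # Only the newest heartbeat per host matters: an older one inside the
        # window must not flag a host that has responded since.
        if host not in latest or seen > latest[host]:
            latest[host] = seen
    return sorted((h, t) for h, t in latest.items() if lower <= t <= upper)


# Constructed sample data; host names are placeholders.
NOW = datetime(2024, 5, 19, 12, 0)
HEARTBEATS = [
    ("dbhost-a", datetime(2024, 5, 17, 8, 0)),    # old beat, but the host is alive
    ("dbhost-a", datetime(2024, 5, 19, 11, 50)),
    ("dbhost-b", datetime(2024, 5, 18, 23, 0)),
    ("dbhost-b", datetime(2024, 5, 19, 6, 0)),    # silent for six hours
    ("dbhost-c", datetime(2024, 5, 10, 9, 0)),    # silent longer than five days
    ("dbhost-d", datetime(2024, 5, 16, 9, 0)),    # silent for three days
]

if __name__ == "__main__":
    for host, seen in silent_hosts(HEARTBEATS, "NOW -5 DAYS", "NOW - 3 HOURS", NOW):
        print(f"{host}: last response {seen:%Y-%m-%d %H:%M}")
```

A host that has been silent for longer than the From bound, such as dbhost-c here, falls outside the window, so the From value also decides how long a dead S-TAP keeps appearing in the alert.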

S-TAP Status

Displays status information about each inspection engine defined on each S-TAP Host. This report has no From and To date parameters, since it is reporting current status. Each row of the report lists all the Guardium Hosts, DB Exec File, DB Server Type, Status, Last Response, Primary Host Name, Yes/No indicators for the following attributes: KTAP Installed, Shared Memory Driver Installed, DB2 Shared Memory Driver Installed, Named Pipes Driver Installed, and App Server Installed. In addition, it lists the Hunter DBS.

Note: The DB2 shared memory driver has been superseded by the DB2 Tap feature.
Domain Based on Query Main Entity
Internal - not available S-TAP Status Not available

S-TAP Status Monitor

For each S-TAP reporting to this Guardium appliance, this report identifies the S-TAP Host, S-TAP Version, DB Server Type, Status (active or inactive), Last Response Received (date and time), Primary Host Name, and true/false indicators for: KTAP, MS SQL Server Shared Memory, DB2 Shared Memory, Local TCP monitoring, Named Pipes Usage, and Encryption; and the Guardium Hosts column that lists all hosts.

This report has no run-time parameters, and is based on a system-only query that cannot be modified.

S-TAP Uninstall Events

Uninstalling an S-TAP could be evidence of harmful activity. This report details S-TAP uninstall events.

Domain Based on Query Main Entity
Internal - not available Not available Not available
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Show Aliases Radio buttons (On, Off, Default) Default
Remote Data Source   Drop-down menu
Refresh rate in seconds   0

S-TAP Verification

Lists all results of S-TAP verifications, including: DB server type, Inspection engine identifier, Port range, Last response from S-TAP, Inspection engine status, Last verification time, Verification schedules, Next scheduled time, Datasource name, Datasource description, Verification type, Instance name, KTAP, MSS shm, WinDb2 shm Win TCP, Pipes, Encrypted?, Firewall installed, DB install dir, Load balancing, Alternate IPs, TLS, DB Exec File.

Domain Based on Query Main Entity
Internal - not available S-TAP Verification S-TAP Verification Header
Run-Time Parameter Operator Default Value
Query from date >= NOW -3 HOUR
Query to date >= NOW

STAP/Z Files

STAP/Z provides files with raw data collected from DB2 (on z/OS®) containing DB2 events, SQL statements, etc. This report lists an Interface ID, UA file name (Un-normalized Audit Event), UT file name (Un-normalized Audit Event text), UH file name (Un-normalized Audit Event host variables), File Status, Total Number of Events Processed, Number of Events Failed, and Timestamp.

This report has two run-time parameters, FileName Like % and FileStatus Like %. It is based on a system-only query that cannot be modified.

Symptoms

Domain Based on Query Main Entity
Eagle Eye Symptoms Symptompe
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Enter Value for Case ID Like %
Show Aliases Radio buttons (On, Off, Default) Default
Remote Data Source   Drop-down menu
Refresh rate in seconds   0

TCP Exceptions

For the reporting period, for each exception where the Exception Description of the Exception Type entity is TCP/IP Protocol Exception, a row of this report lists the following attribute values from the Exception entity: Exception Timestamp, Exception Description, Source Address, Destination Address, Source Port, Destination Port, and count of Exceptions for that row.

Domain Based on Query Main Entity
Exceptions TCP Exceptions Exception
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Templates (CAS)

This report lists CAS templates. By default, all template items are listed.

Domain Based on Query Main Entity
CAS Templates CAS Templates Template
Run-Time Parameter Operator Default Value
Access_Name Like %
Template_Set_Name Like %
Audit_Type Like %

Test Detail Exception

This report lists all the test detail exceptions that are applied to a security assessment.

Domain Based on Query Main Entity
Internal - not available Test Detail Exceptions Not available
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Approver LIKE %
Exception Type LIKE %
Exception Detail LIKE %
Test Description LIKE %
Datasource Group LIKE %
Datasource Name LIKE %
Assessment LIKE %
Refresh Rate in seconds   0

Test Exceptions Original report and Test Exceptions report

Both reports indicate pairs of tests and datasources that are exempted temporarily. The Test Exceptions report is a more comprehensive version of the Test Exceptions Original report.

Test Exceptions Original report

Use the following selections to configure the Test Exceptions Original report:
Domain Based on Query Main Entity
Internal - not available Test Exceptions Not available
Run-Time Parameter Operator Default Value
Period From >= NOW -12 MONTH
Period To <= NOW

Test Exceptions report

Use the following selections to configure the Test Exceptions report:
Domain Based on Query Main Entity
Internal - not available Test Exceptions Not available
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
Approver LIKE %
Test Description LIKE %
Datasource Group LIKE %
Datasource Name LIKE %
Assessment LIKE %
Refresh Rate in seconds   0

Threat analytics case for analysis

When a case is assigned on the Active Threat Analytics page, this report is sent to the assignee. It includes the case details and its observations.

Domain Based on Query Main Entity
Active Threat Analytics Threat analytics case for analysis Analytic case observation
Run-Time Parameter Operator Default Value
Case number =  
Period From >= NOW -3 HOURS
Period To <= NOW

Threat Analytics Case Observations

This is a drill-down report from the open cases and the closed cases reports. It shows the case's observations.

Domain Based on Query Main Entity
Active Threat Analytics Threat analytics case observations Analytic case observation
Run-Time Parameter Operator Default Value
Case number =  
Period From >= NOW -3 HOURS
Period To <= NOW

Threat analytics closed cases

Domain Based on Query Main Entity
Active Threat Analytics Threat analytics closed cases Analytic case
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOURS
Period To <= NOW

Threat analytics open cases

Domain Based on Query Main Entity
Active Threat Analytics Threat analytics open cases Analytic case
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOURS
Period To <= NOW

Threat finder run log

This report gives results of the threat finder runs.

Domain Based on Query Main Entity
Analytic Outliers Status Threat Finder Run Log Analytic status
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOURS
Period To <= NOW
Show Aliases   Radio buttons (On, Off, Default)
Remote Data Source   Drop-down menu
Refresh rate in seconds   0

Throughput

For each Access Period in the reporting period, each row lists the Period Start time, the count of Server IP addresses, and the total number of accesses (Access Period entities).

You can restrict the output of this report using the Server IP run-time parameter, which by default is set to % to select all IP addresses.

Domain Based on Query Main Entity
Internal - not available DB Server Throughput Not available
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW
Server IP LIKE %

Throughput (graphical)

This report is a Distributed Label Line chart version of the tabular Throughput report. It plots the total number of accesses over the reporting period, one data point per Period Start time.

You can restrict the output of this report using the Server IP run-time parameter, which by default is set to % to select all IP addresses.

Domain Based on Query Main Entity
Access DB Server Throughput - Chart Access Period
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW
Server IP LIKE %

User Activity Audit Trail Reports

The User Activity Audit Trail menu selection displays two reports. In addition, from each of those reports, a third report can be produced. See:
  • User Activity Audit Trail
  • System/Security Activities
  • Detailed Guardium User Activity (Drill-Down)

User Activity Audit Trail

For the reporting period, for each User Name seen on a Guardium User Activity Audit entity, each row displays the Guardium User Name, an Activity Type Description (from the Guardium Activity Types entity), a Count of Modified Entity values, the Host Name, and the total number of Guardium Activity Audits entities for that row.

From any row of this report, the Detailed Guardium User Activity report is available as a drill-down report.

Domain Based on Query Main Entity
Guardium Activity User Activity Audit Trail Guardium User Activity Audit
Run-Time Parameter Operator Default Value
Host Name LIKE %
Period From >= NOW -1 DAY
Period To <= NOW

System/Security Activities

For the reporting period, for each User Name seen on a Guardium User Activity Audit entity, each row displays the Guardium User Name, an Activity Type Description (from the Guardium Activity Types entity), a Count of Modified Entity values, the Host Name, and the total number of Guardium Activity Audits entities for that row.

From any row of this report, the Detailed Guardium User Activity report is available as a drill-down report.

Domain Based on Query Main Entity
Guardium Activity User Activity Audit Trail Guardium User Activity Audit
Run-Time Parameter Operator Default Value
Host Name LIKE %
Period From >= NOW -1 DAY
Period To <= NOW

Detailed Guardium User Activity (Drill-Down)

This report is not available from the menu, but can be opened for any row of the User Activity Audit Trail report, or the System/Security Activities report. For the selected row of the report, based on the User Name and Activity Type Description, this report lists the following attribute values, all of which are from the Guardium User Activity Audit entity, except for the Activity Type Description, which is from the Guardium Activity Types entity: User Name, Timestamp, Modified Entity, Object Description, All Values, and a count of Guardium User Activity Audits entities for the row.

Domain Based on Query Main Entity
Guardium Activity Detailed Guardium User Activity Guardium User Activity Audit
Run-Time Parameter Operator Default Value
Activity Type Description   value from calling report
Period From >= NOW -1 DAY
Period To <= NOW
User Name   value from calling report
Warning: Users should be aware that activities of the root user, and other sensitive system accounts, are logged. Drilling down into the activity of these users may show sensitive commands and passwords that have been entered on the command line. Therefore, whenever possible, users should not enter sensitive information on the command line that they would not want to appear in this drill-down report.

User Comments - Sharable

Sharable user comments are all comments except for inspection engine, installed policy, and audit process results comments. For each sharable user comment, this report lists the date created, the type of object referenced (an alert, for example), the object description, the user who created the comment, and the contents of the comment.

Note: Comments defined for inspection engines, installed policies, or audit process results can be viewed from the individual definitions, but they cannot be displayed on a report.
Domain Based on Query Main Entity
Comments Comments Defined Comments
Run-Time Parameter Operator Default Value
Period From >= NOW -2 MONTH
Period To <= NOW

User To-Do Lists

Displays for each Guardium audit process: a description, login name, action required (review or approve), status, user who has signed or reviewed, and execution date of the specified task.

Domain Based on Query Main Entity
Internal - not available Users To-do List Not available
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Unit Utilization Levels

The following default reports provide unit utilization data:
  • Unit Utilization: Displays the maximum unit utilization level for each unit in the given timeframe. There is a drill-down that displays details for a unit across all periods within the timeframe of the report.
  • Unit Utilization Distribution: For each unit, this report displays the percentage of periods in the report timeframe with utilization levels of low, medium, and high.
  • Utilization Thresholds: This predefined report displays all low and high threshold values for all unit utilization parameters.
  • Unit Utilization Daily Summary: Provides a daily summary of unit utilization data.
Domain Based on Query Main Entity
Internal - not available Unit Utilization Distribution Unit Utilization Levels
Run-Time Parameter Operator Default Value
Period From >= NOW -24 HOUR
Period To <= NOW

Values Changed

For the reporting period, this report provides detailed information about monitored value changes. All attribute values displayed are from the Monitor Values entity. The query this report is based upon has a non-standard sorting sequence, as follows:
  • Server IP
  • DB Type
  • Audit Timestamp
  • Audit Table Name
  • Audit Owner

The query this report is based upon has a number of run-time parameters, all of which use the LIKE operator and default to the value %, meaning all values will be selected.

For each monitored value selected, a row of the report lists the Timestamp, Server IP, DB Type, Service Name, Database Name, Audit Login Name, Audit Timestamp, Audit Table Name, Audit Owner, Audit Action, Audit Old Value, Audit New Value, SQL Text, Triggered ID, and a count of Changed Columns entities for that row.

Domain Based on Query Main Entity
Value Changed Values Changed Changed Columns
Run-Time Parameter Operator Default Value
Audit Action LIKE %
Audit Login Name LIKE %
Audit Owner LIKE %
Audit Table Name LIKE %
DB Type LIKE %
Period From >= NOW -1 DAY
Period To <= NOW
Server IP LIKE %